
Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles: latest papers

Low-overhead byzantine fault-tolerant storage
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294269
James Hendricks, G. Ganger, M. Reiter
This paper presents an erasure-coded Byzantine fault-tolerant block storage protocol that is nearly as efficient as protocols that tolerate only crashes. Previous Byzantine fault-tolerant block storage protocols have either relied upon replication, which is inefficient for large blocks of data when tolerating multiple faults, or a combination of additional servers, extra computation, and versioned storage. To avoid these expensive techniques, our protocol employs novel mechanisms to optimize for the common case when faults and concurrency are rare. In the common case, a write operation completes in two rounds of communication and a read completes in one round. The protocol requires a short checksum comprised of cryptographic hashes and homomorphic fingerprints. It achieves throughput within 10% of the crash-tolerant protocol for writes and reads in failure-free runs when configured to tolerate up to 6 faulty servers and any number of faulty clients.
Citations: 141
DejaView: a personal virtual computer recorder
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294289
Oren Laadan, Ricardo A. Baratto, Dan B. Phung, S. Potter, Jason Nieh
As users interact with the world and their peers through their computers, it is becoming important to archive and later search the information that they have viewed. We present DejaView, a personal virtual computer recorder that provides a complete record of a desktop computing experience that a user can playback, browse, search, and revive seamlessly. DejaView records visual output, checkpoints corresponding application and file system state, and captures displayed text with contextual information to index the record. A user can then browse and search the record for any visual information that has been displayed on the desktop, and revive and interact with the desktop computing state corresponding to any point in the record. DejaView combines display, operating system, and file system virtualization to provide its functionality transparently without any modifications to applications, window systems, or operating system kernels. We have implemented DejaView and evaluated its performance on real-world desktop applications. Our results demonstrate that DejaView can provide continuous low-overhead recording without any user noticeable performance degradation, and allows browsing, search and playback of records fast enough for interactive use.
Citations: 58
Bouncer: securing software by blocking bad input
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294274
Manuel Costa, M. Castro, Lidong Zhou, Lintao Zhang, Marcus Peinado
Attackers exploit software vulnerabilities to control or crash programs. Bouncer uses existing software instrumentation techniques to detect attacks and it generates filters automatically to block exploits of the target vulnerabilities. The filters are deployed automatically by instrumenting system calls to drop exploit messages. These filters introduce low overhead and they allow programs to keep running correctly under attack. Previous work computes filters using symbolic execution along the path taken by a sample exploit, but attackers can bypass these filters by generating exploits that follow a different execution path. Bouncer introduces three techniques to generalize filters so that they are harder to bypass: a new form of program slicing that uses a combination of static and dynamic analysis to remove unnecessary conditions from the filter; symbolic summaries for common library functions that characterize their behavior succinctly as a set of conditions on the input; and generation of alternative exploits guided by symbolic execution. Bouncer filters have low overhead, they do not have false positives by design, and our results show that Bouncer can generate filters that block all exploits of some real-world vulnerabilities.
Citations: 39
Tolerating byzantine faults in transaction processing systems using commit barrier scheduling
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294268
Ben Vandiver, H. Balakrishnan, B. Liskov, S. Madden
This paper describes the design, implementation, and evaluation of a replication scheme to handle Byzantine faults in transaction processing database systems. The scheme compares answers from queries and updates on multiple replicas which are unmodified, off-the-shelf systems, to provide a single database that is Byzantine fault tolerant. The scheme works when the replicas are homogeneous, but it also allows heterogeneous replication in which replicas come from different vendors. Heterogeneous replicas reduce the impact of bugs and security compromises because they are implemented independently and are thus less likely to suffer correlated failures. The main challenge in designing a replication scheme for transaction processing systems is ensuring that the different replicas execute transactions in equivalent serial orders while allowing a high degree of concurrency. Our scheme meets this goal using a novel concurrency control protocol, commit barrier scheduling (CBS). We have implemented CBS in the context of a replicated SQL database, HRDB (Heterogeneous Replicated DB), which has been tested with unmodified production versions of several commercial and open source databases as replicas. Our experiments show an HRDB configuration that can tolerate one faulty replica has only a modest performance overhead (about 17% for the TPC-C benchmark). HRDB successfully masks several Byzantine faults observed in practice and we have used it to find a new bug in MySQL.
Citations: 101
Staged deployment in mirage, an integrated software upgrade testing and distribution system
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294283
Olivier Crameri, N. Knežević, Dejan Kostic, R. Bianchini, W. Zwaenepoel
Despite major advances in the engineering of maintainable and robust software over the years, upgrading software remains a primitive and error-prone activity. In this paper, we argue that several problems with upgrading software are caused by a poor integration between upgrade deployment, user-machine testing, and problem reporting. To support this argument, we present a characterization of software upgrades resulting from a survey we conducted of 50 system administrators. Motivated by the survey results, we present Mirage, a distributed framework for integrating upgrade deployment, user-machine testing, and problem reporting into the overall upgrade development process. Our evaluation focuses on the most novel aspect of Mirage, namely its staged upgrade deployment based on the clustering of user machines according to their environments and configurations. Our results suggest that Mirage's staged deployment is effective for real upgrade problems.
Citations: 93
Information flow control for standard OS abstractions
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294293
Max Krohn, A. Yip, Micah Z. Brodsky, Natan Cliffer, F. Kaashoek, E. Kohler, R. Morris
Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flows between the pieces of an application and the outside world. As applied to privacy, DIFC allows untrusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity, DIFC allows trusted code to protect untrusted software from unexpected malicious inputs. In either case, only bugs in the trusted code, which tends to be small and isolated, can lead to security violations. We present Flume, a new DIFC model that applies at the granularity of operating system processes and standard OS abstractions (e.g., pipes and file descriptors). Flume was designed for simplicity of mechanism, to ease DIFC's use in existing applications, and to allow safe interaction between conventional and DIFC-aware processes. Flume runs as a user-level reference monitor on Linux. A process confined by Flume cannot perform most system calls directly; instead, an interposition layer replaces system calls with IPC to the reference monitor, which enforces data flow policies and performs safe operations on the process's behalf. We ported a complex web application (MoinMoin Wiki) to Flume, changing only 2% of the original code. Performance measurements show a 43% slowdown on read workloads and a 34% slowdown on write workloads, which are mostly due to Flume's user-level implementation.
Citations: 503
AutoBash: improving configuration management with operating system causality analysis
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294284
Ya-Yunn Su, Mona Attariyan, J. Flinn
AutoBash is a set of interactive tools that helps users and system administrators manage configurations. AutoBash leverages causal tracking support implemented within our modified Linux kernel to understand the inputs (causal dependencies) and outputs (causal effects) of configuration actions. It uses OS-level speculative execution to try possible actions, examine their effects, and roll them back when necessary. AutoBash automates many of the tedious parts of trying to fix a misconfiguration, including searching through possible solutions, testing whether a particular solution fixes a problem, and undoing changes to persistent and transient state when a solution fails. Our results show that AutoBash correctly identifies the solution to several CVS, gcc cross-compiler, and Apache configuration errors. We also show that causal analysis reduces AutoBash's search time by an average of 35% and solution verification time by an average of 70%.
Citations: 136
Protection and communication abstractions for web browsers in MashupOS
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294263
Helen J. Wang, Xiaofeng Fan, Jon Howell, Collin Jackson
Web browsers have evolved from a single-principal platform on which one site is browsed at a time into a multi-principal platform on which data and code from mutually distrusting sites interact programmatically in a single page at the browser. Today's "Web 2.0" applications (or mashups) offer rich services, rivaling those of desktop PCs. However, the protection and communication abstractions offered by today's browsers remain suitable only for a single-principal system: either no trust through complete isolation between principals (sites) or full trust by incorporating third party code as libraries. In this paper, we address this deficiency by identifying and designing the missing abstractions needed for a browser-based multi-principal platform. We have designed our abstractions to be backward compatible and easily adoptable. We have built a prototype system that realizes almost all of our abstractions and their associated properties. Our evaluation shows that our abstractions make it easy to build more secure and robust client-side Web mashups and can be easily implemented with negligible performance overhead.
Citations: 149
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294294
Arvind Seshadri, M. Luk, Ning Qu, A. Perrig
We propose SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels. In particular, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime. This protects the kernel against code injection attacks, such as kernel rootkits. SecVisor can achieve this property even against an attacker who controls everything but the CPU, the memory controller, and system memory chips. Further, SecVisor can even defend against attackers with knowledge of zero-day kernel exploits. Our goal is to make SecVisor amenable to formal verification and manual audit, thereby making it possible to rule out known classes of vulnerabilities. To this end, SecVisor offers small code size and small external interface. We rely on memory virtualization to build SecVisor and implement two versions, one using software memory virtualization and the other using CPU-supported memory virtualization. The code sizes of the runtime portions of these versions are 1739 and 1112 lines, respectively. The size of the external interface for both versions of SecVisor is 2 hypercalls. It is easy to port OS kernels to SecVisor. We port the Linux kernel version 2.6.20 by adding 12 lines and deleting 81 lines, out of a total of approximately 4.3 million lines of code in the kernel.
Citations: 716
Integrating concurrency control and energy management in device drivers
Pub Date : 2007-10-14 DOI: 10.1145/1294261.1294286
K. Klues, V. Handziski, Chenyang Lu, A. Wolisz, D. Culler, David E. Gay, P. Levis
Energy management is a critical concern in wireless sensornets. Despite its importance, sensor network operating systems today provide minimal energy management support, requiring applications to explicitly manage system power states. To address this problem, we present ICEM, a device driver architecture that enables simple, energy efficient wireless sensornet applications. The key insight behind ICEM is that the most valuable information an application can give the OS for energy management is its concurrency. Using ICEM, a low-rate sensing application requires only a single line of energy management code and has an efficiency within 1.6% of a hand-tuned implementation. ICEM's effectiveness questions the assumption that sensornet applications must be responsible for all power management and sensornets cannot have a standardized OS with a simple API.
Citations: 88